Heiko Schlittermann (HS12-RIPE) [Thu, 28 Jan 2016 21:20:33 +0000 (22:20 +0100)]
Fix CVE-2016-1531
Add keep_environment, add_environment.
Change the working directory to "/" during the early startup
phase.
(cherry picked from commit fa927caf12b309a2c984ddff1adf4a299186d887)
(cherry picked from commit bc3c7bb7d4aba3e563434e5627fe1f2176aa18c0)
(cherry picked from commit 2b92b67bfc33efe05e6ff2ea3852731ac2273832)
(cherry picked from commit 14b82c8b736c8ed24eda144f57703cb9feac6323)
(cherry picked from commit 9ca92d0c6e9c6f161bd8111366c6952d3a9315e2)
(cherry picked from commit 0020c6d9ecfd98ed7b2b337ed4f898fdc409784b)
(cherry picked from commit e8f96966360ea8867ad6a8b5affda6c37fa4958c)
(cherry picked from commit ef6fb807c1e1a665f444f644c60c77269f7c5209)
Jeremy Harris [Mon, 5 Jan 2015 23:40:11 +0000 (23:40 +0000)]
Docs: move description of modifiers on dnsdb lookups to a separate section
Jeremy Harris [Sun, 4 Jan 2015 09:22:58 +0000 (09:22 +0000)]
Docs: expand/reword entry on cutthrough delivery option
Jeremy Harris [Thu, 1 Jan 2015 21:47:10 +0000 (21:47 +0000)]
Avoid crash with badly-terminated non-recognised mime parameter
Jeremy Harris [Tue, 30 Dec 2014 20:39:02 +0000 (20:39 +0000)]
Fix crash in mime acl when a parameter is unterminated
Verified-by: Wolfgang Breyha <wbreyha@gmx.net>
Jeremy Harris [Tue, 30 Dec 2014 11:40:41 +0000 (11:40 +0000)]
Update ChangeLog
Jeremy Harris [Sat, 27 Dec 2014 20:35:08 +0000 (20:35 +0000)]
Testsuite: case for malware= cmdline
Jeremy Harris [Thu, 25 Dec 2014 13:30:12 +0000 (13:30 +0000)]
Fix null-indirection in certextract expansion
Found-by: Roman Rybalko
Jeremy Harris [Wed, 24 Dec 2014 17:05:39 +0000 (17:05 +0000)]
Docs thinko
Jeremy Harris [Mon, 22 Dec 2014 15:34:22 +0000 (15:34 +0000)]
Use TIME_T_FMT for formatting tv_sec. Bug 1561
Todd Lyons [Mon, 22 Dec 2014 13:30:59 +0000 (05:30 -0800)]
Bug 1547: Omit RFCs from release tarball docs dir
RFC Drafts and RFCs have licenses which are problematic for Debian
distribution. Omit them from the release tarball.
Jeremy Harris [Sun, 21 Dec 2014 21:32:13 +0000 (21:32 +0000)]
Testsuite: cases for malware= interfaces to f-protd, aveserver, fsecure, sophie & clamav
These are running against scripts not the real thing
so only useful for spotting gross breakage.
Wolfgang Breyha [Fri, 19 Dec 2014 15:51:45 +0000 (15:51 +0000)]
EXPERIMENTAL_DSN: use the SMTP return message for Diagnostic-Code lines. Bug 1559
Minor tweaking by JH.
Jeremy Harris [Tue, 16 Dec 2014 15:02:48 +0000 (15:02 +0000)]
Testsuite: move testcase (requires plaintext authenticator)
Jeremy Harris [Sun, 14 Dec 2014 18:58:45 +0000 (18:58 +0000)]
Testsuite: additional crypto cypher useable
Seen on Fedora 21 / OpenSSL 1.0.1j-fips
Jeremy Harris [Sun, 14 Dec 2014 17:31:44 +0000 (17:31 +0000)]
Revert "Testsuite: Use explicit interface for send to localhost"
This reverts commit 30079bc1d20c0473d012ef33654358cfadb0a2ff.
The buildfarm member running FreeBSD 10.0 was not fixed by that commit,
as was hoped.
Jeremy Harris [Sun, 14 Dec 2014 15:15:34 +0000 (15:15 +0000)]
Account properly for quoted or 2047-encoded MIME parameters while walking headers. Bug 1558
Jeremy Harris [Sat, 13 Dec 2014 20:18:39 +0000 (20:18 +0000)]
Testsuite: Use explicit interface for send to localhost
FreeBSD is more lax in its choice of local address to bind; the
difference is just noise in testcase output.
Jeremy Harris [Tue, 9 Dec 2014 10:41:00 +0000 (10:41 +0000)]
Docs clarification
Jeremy Harris [Fri, 5 Dec 2014 15:17:10 +0000 (15:17 +0000)]
Docs typo
Jeremy Harris [Thu, 4 Dec 2014 19:17:47 +0000 (19:17 +0000)]
Fail a DANE-mode verify on totally missing certificate
Jeremy Harris [Thu, 4 Dec 2014 18:39:28 +0000 (18:39 +0000)]
Docs: clarify interaction of DANE and CA-based certificate verification options
Jeremy Harris [Wed, 3 Dec 2014 21:09:54 +0000 (21:09 +0000)]
Testsuite: add more DANE testcases
Todd Lyons [Mon, 1 Dec 2014 15:24:17 +0000 (07:24 -0800)]
Set previous version in doc XML
Jeremy Harris [Sun, 30 Nov 2014 17:34:00 +0000 (17:34 +0000)]
Docs: update drweb malware scanner interface description
Jeremy Harris [Sat, 29 Nov 2014 22:20:05 +0000 (22:20 +0000)]
Compiler quietening. Bug 1555
Jeremy Harris [Sat, 29 Nov 2014 21:50:23 +0000 (21:50 +0000)]
Document interface to f-protd av_scanner type. Bug 923
Jeremy Harris [Sat, 29 Nov 2014 19:05:28 +0000 (19:05 +0000)]
Testsuite: treat ECONNRESET the same as ECONNREFUSED on the new connection
Jeremy Harris [Sat, 29 Nov 2014 17:30:27 +0000 (17:30 +0000)]
Testsuite: fix feature name
Jeremy Harris [Sat, 29 Nov 2014 16:28:15 +0000 (16:28 +0000)]
Compiler quietening
Jeremy Harris [Fri, 28 Nov 2014 19:26:10 +0000 (19:26 +0000)]
Git: ignore a few more nonsource files
Jeremy Harris [Fri, 28 Nov 2014 19:10:05 +0000 (19:10 +0000)]
Testsuite: avoid ipv6 when testing retry data
Some test hosts cannot do ipv6. We assume that ipv4 is available.
Jeremy Harris [Thu, 27 Nov 2014 16:26:44 +0000 (16:26 +0000)]
Fix buffer overrun in spam= acl condition. Bug 1552
Jeremy Harris [Wed, 26 Nov 2014 17:40:00 +0000 (17:40 +0000)]
Testsuite: sort output of retry DB dumps
Different systems will have dump output in different order
so to tidy up the Solaris runs, sort pairs of lines by the
leading "word".
Jeremy Harris [Tue, 25 Nov 2014 22:12:42 +0000 (22:12 +0000)]
Testsuite: "echo -n" portability - use printf(1) if possible
Jeremy Harris [Tue, 25 Nov 2014 17:11:50 +0000 (17:11 +0000)]
Error the build if DANE included but DNSSEC not available
Nigel Metheringham [Tue, 25 Nov 2014 08:46:52 +0000 (08:46 +0000)]
Docs typo in index entry. Fixes: #1551
Jeremy Harris [Sun, 23 Nov 2014 16:16:11 +0000 (16:16 +0000)]
Document OpenSSL behaviour on system default CA bundle
Jeremy Harris [Sat, 22 Nov 2014 19:19:09 +0000 (19:19 +0000)]
Docs: fix missing quotes
Jeremy Harris [Fri, 21 Nov 2014 16:52:38 +0000 (16:52 +0000)]
Docs: crossref $sending_ip_address. Bug 1319
Jeremy Harris [Fri, 21 Nov 2014 15:12:17 +0000 (15:12 +0000)]
Testsuite: case 0601 logging ordering
Jeremy Harris [Fri, 21 Nov 2014 13:52:22 +0000 (13:52 +0000)]
Update RFC conformance notes
Jeremy Harris [Fri, 21 Nov 2014 13:21:48 +0000 (13:21 +0000)]
Testsuite: debugging Solaris run ordering issue. Log +received_recipients
Jeremy Harris [Thu, 20 Nov 2014 20:17:32 +0000 (20:17 +0000)]
When following a CNAME chain, if any lookup is insecure the whole must be too
Jeremy Harris [Thu, 20 Nov 2014 20:16:58 +0000 (20:16 +0000)]
Const-ification
Jeremy Harris [Thu, 20 Nov 2014 16:14:47 +0000 (16:14 +0000)]
Const-ification
Jeremy Harris [Thu, 20 Nov 2014 16:46:48 +0000 (16:46 +0000)]
Fix copying of host_used in smtp transport
Following c562f "More regular logging use of H=<name> [<ip>]" there
were error cases where a host-item that was being expanded per-call
was used. Move the copy earlier so these are covered.
Jeremy Harris [Tue, 18 Nov 2014 19:56:44 +0000 (19:56 +0000)]
Testsuite: msglog files
Jeremy Harris [Tue, 18 Nov 2014 19:43:09 +0000 (19:43 +0000)]
Compiler quietening
Jeremy Harris [Sun, 16 Nov 2014 20:57:10 +0000 (20:57 +0000)]
Fix debug output of name of transport option list being matched
Jeremy Harris [Sat, 15 Nov 2014 21:11:23 +0000 (21:11 +0000)]
Test case for retry_include_ip_address
Jeremy Harris [Sun, 16 Nov 2014 13:54:01 +0000 (13:54 +0000)]
docs typo
Todd Lyons [Thu, 13 Nov 2014 21:15:13 +0000 (13:15 -0800)]
Add items to NewStuff
Jeremy Harris [Thu, 13 Nov 2014 17:14:09 +0000 (17:14 +0000)]
ChangeLog entries for minor features and fixes since 4.84
Todd Lyons [Wed, 12 Nov 2014 17:23:24 +0000 (09:23 -0800)]
Move DANE design doc, drop extra dane drafts
Jeremy Harris [Wed, 12 Nov 2014 15:49:28 +0000 (15:49 +0000)]
Testsuite: munge for unrelated test affected by EXPERIMENTAL_CERTNAMES
Jeremy Harris [Wed, 12 Nov 2014 14:47:01 +0000 (14:47 +0000)]
Testsuite: 0393 intermittently spits an extra stderr line. Unimportant
for the testcase, so ignore it.
Jeremy Harris [Mon, 10 Nov 2014 16:41:12 +0000 (16:41 +0000)]
Handle UTC vs specified-timezone for certificate extractors. Bug 1541
Jeremy Harris [Sat, 8 Nov 2014 23:45:00 +0000 (23:45 +0000)]
Testsuite: additional dns zone for certificate name testing
Jeremy Harris [Sat, 8 Nov 2014 13:24:21 +0000 (13:24 +0000)]
Fix smtp transport certificate-verification option matching to use correct host
Fix certificate name verification done with tls_try_verify_hosts
Affected tls_verify_hosts, tls_try_verify_hosts, tls_verify_cert_hostnames.
Jeremy Harris [Thu, 6 Nov 2014 21:22:18 +0000 (21:22 +0000)]
EXPERIMENTAL_CERTNAMES: Hostlist for cert name checks should match host
connected-to, not be list of acceptable names. The name checked is the
host name.
Jeremy Harris [Wed, 5 Nov 2014 18:24:00 +0000 (18:24 +0000)]
Do not permit multi-component wildcards on certificate names (OpenSSL, EXPERIMENTAL_CERTNAMES)
Jeremy Harris [Sun, 26 Oct 2014 21:06:46 +0000 (21:06 +0000)]
Do not permit multi-component wildcards on certificate names (OpenSSL)
Jeremy Harris [Wed, 5 Nov 2014 17:31:34 +0000 (17:31 +0000)]
Add doc examples for disabling SSLv3
Jeremy Harris [Tue, 4 Nov 2014 15:13:00 +0000 (15:13 +0000)]
Fix dnssec indication variable when used from verify-callout smtp:connect event
Jeremy Harris [Mon, 3 Nov 2014 15:48:31 +0000 (15:48 +0000)]
Tweak docs on difference between "local" and "remote" source messages
Jeremy Harris [Mon, 3 Nov 2014 15:48:15 +0000 (15:48 +0000)]
Testsuite: tidying
Jeremy Harris [Sat, 1 Nov 2014 11:37:36 +0000 (11:37 +0000)]
Testsuite: tidying
Jeremy Harris [Thu, 30 Oct 2014 20:48:02 +0000 (20:48 +0000)]
Fix cert-try-verify when denied by event action
Jeremy Harris [Thu, 30 Oct 2014 20:32:14 +0000 (20:32 +0000)]
Test suite: disable OCSP for old openssl part 3
Jeremy Harris [Thu, 30 Oct 2014 18:52:45 +0000 (18:52 +0000)]
Fix dnssec indication variable when used from smtp:connect event
Jeremy Harris [Thu, 30 Oct 2014 12:12:31 +0000 (12:12 +0000)]
For connects and certificate-verifies denied by event actions, log
the string resulting from the event expansion
Todd Lyons [Wed, 29 Oct 2014 14:50:41 +0000 (07:50 -0700)]
Test suite: disable OCSP for old openssl part 2
Make sure to only disable this if building for openssl, allow gnutls
to build with OCSP for all versions that support it.
Todd Lyons [Wed, 29 Oct 2014 14:26:17 +0000 (07:26 -0700)]
Test suite: disable OCSP for old OpenSSL versions
OpenSSL 0.9.8 in CentOS 5.x has early OCSP support, but not stapling
so just completely disable OCSP using the same logic that exists
in tls-openssl.c.
Jeremy Harris [Wed, 29 Oct 2014 12:57:55 +0000 (12:57 +0000)]
Testsuite: compiler quietening
Jeremy Harris [Wed, 29 Oct 2014 12:57:00 +0000 (12:57 +0000)]
Testsuite: tidying
Jeremy Harris [Tue, 28 Oct 2014 14:42:10 +0000 (14:42 +0000)]
Testsuite: compiler quietening
Jeremy Harris [Sun, 26 Oct 2014 23:35:32 +0000 (23:35 +0000)]
Testsuite: output changes for ipv6
Jeremy Harris [Sun, 26 Oct 2014 22:57:00 +0000 (22:57 +0000)]
Do not claim OCSP support when compiled with too-old GnuTLS version
Jeremy Harris [Sun, 26 Oct 2014 22:14:03 +0000 (22:14 +0000)]
Fix cert-try-verify when denied by event action
Jeremy Harris [Sun, 26 Oct 2014 17:37:52 +0000 (17:37 +0000)]
Testcase 0601: move udpsend action from connect to rcpt ACL
Some test runs were seeing the receiving perl output before the exim startup banner;
try to get the udpsend to happen after the banner gets a chance to be emitted.
Jeremy Harris [Sun, 26 Oct 2014 17:48:33 +0000 (17:48 +0000)]
Testsuite: increase default "client" utility connect timeout from 1 to 5 seconds
Jeremy Harris [Sun, 26 Oct 2014 17:29:24 +0000 (17:29 +0000)]
Testsuite: use different exit codes for various fail modes of "client" utility
Jeremy Harris [Sun, 26 Oct 2014 17:15:20 +0000 (17:15 +0000)]
Fix feature-ifdef for OpenSSL builtin certname checking
Jeremy Harris [Sun, 26 Oct 2014 15:51:55 +0000 (15:51 +0000)]
Testsuite: extend timeout on troublesome test
Testcase 0035 persistently fails with "status 99" on some buildfarm
animals. Try extending the connect timeout used by the "client" utility
to see if this helps.
Jeremy Harris [Sun, 26 Oct 2014 14:54:28 +0000 (14:54 +0000)]
Expand commentary on certificate files
Jeremy Harris [Thu, 23 Oct 2014 17:22:33 +0000 (18:22 +0100)]
Add event for inbound cert visibility
Jeremy Harris [Thu, 23 Oct 2014 17:18:43 +0000 (18:18 +0100)]
Make transport name available in verify-callouts. Add verify_mode variable
Jeremy Harris [Sat, 18 Oct 2014 19:38:07 +0000 (20:38 +0100)]
Rename facility to Event Actions, ifdeffed on EXPERIMENTAL_EVENT
Jeremy Harris [Fri, 24 Oct 2014 10:12:20 +0000 (11:12 +0100)]
Testsuite: more portable implementation of "showenv"
At least one Solaris installation seems not to have "whoami"
Todd Lyons [Thu, 23 Oct 2014 19:27:41 +0000 (12:27 -0700)]
Test suite continue past unexpected client errors
Todd Lyons [Wed, 22 Oct 2014 19:40:33 +0000 (12:40 -0700)]
Merge branch 'master' of ssh://git.exim.org/home/git/exim
Todd Lyons [Wed, 22 Oct 2014 19:40:08 +0000 (12:40 -0700)]
Fix labels in testsuite conf files
Jeremy Harris [Sun, 12 Oct 2014 16:51:56 +0000 (17:51 +0100)]
Make $host available in tpda delivery event, for cutthrough. Bug 1529
Jeremy Harris [Thu, 25 Sep 2014 21:20:33 +0000 (22:20 +0100)]
More regular logging use of H=<name> [<ip>]
Note this may affect utilities which parse logs.
Jeremy Harris [Wed, 22 Oct 2014 12:41:57 +0000 (13:41 +0100)]
Testsuite outputs: ipv6
Jeremy Harris [Sat, 18 Oct 2014 17:51:16 +0000 (18:51 +0100)]
Compiler quietening
Todd Lyons [Mon, 20 Oct 2014 14:16:04 +0000 (07:16 -0700)]
Merge branch 'master' of ssh://git.exim.org/home/git/exim
Todd Lyons [Mon, 20 Oct 2014 14:14:42 +0000 (07:14 -0700)]
Test suite: completely omit 127/8 IPs
Jeremy Harris [Thu, 16 Oct 2014 18:11:45 +0000 (19:11 +0100)]
Handle certificate dir under GnuTLS, if recent enough
Add testcases for certificate directories
The GnuTLS implementation has been tested on Fedora 21 (alpha),
using GnuTLS 3.3.9. The testsuite case is here but with the
script commented-out. When enabled, the log/mail/stdout/stderr
files will be created fresh.